MoMusings

Wednesday 29th November, 2006


Fight Global Warming from your Computer

Filed under: All, Tools

Here’s an article of a different nature: no malware, no spam, no scams or any of the other usual stuff I write about. This one’s about us all making a difference…

Now, don’t get me wrong I’m not a tree hugger, an environmentalist or at the other end of the scale, an anarchist, I’m just an average ‘geek’ that uses too many computers for too many hours of the day. And to help with the guilt of my using all this power and the resulting impact on the environment, I did a little digging and found a little tool yesterday which could well make a massive difference to the amount of carbon and CO2 emissions that I am responsible for; no it doesn’t mean I have to stop being full of hot air, or even stop breathing….Although that probably might help ;-)

All of us that use computers, either for work or at home are guilty of leaving them running when we are not always actually using them; this generates significant waste and emissions. To help reduce this you can tweak the power settings on your computer to turn off the display after so many minutes and power down the hard disks when they are not in use. But, how many of us actually do that?

To help make this easier, a useful tool has been released which can help you to save energy and therefore reduce emissions such as CO2, and if enough of us do this we can make a significant impact. So, instead of being part of the problem, we can become part of the solution.

So, what is it?

It is simply a software tool that you install, and it looks a bit like one of those grid computing type of applications, such as Seti@home, BOINC, World Community Grid, etc. Here’s a picture of what it looks like when it is running:

So, instead of looking for alien signals you can actually do something that will help all of mankind, right here and right now.

I already have it installed on all my computers at home, and have already saved some energy, and I only installed it earlier today.

It is fully customisable, as you can see from these screenshots:

Imagine the impact if all large companies installed this on all their computers, as well as all home computer users! Not only would they save money [which the bean-counters/bill-payers would approve of], but they could also help to minimise the impact on the environment that their business and/or gaming, chatting, e-mailing or blogging makes too!

Go on you know it makes sense…

It is FREE and doesn’t contain any spyware or other malicious code. You can download it via this banner.



Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

Thursday 23rd November, 2006


PayPal Phish With a Sting in the Tail…

Filed under: All, Malware, Scams, Tools, Stats

Over the last month the amount of phishing scams I see has risen. In fact, since the beginning of November I have reported over 3,000 new phishing URLs. This is a significant increase for me, as I usually only report around 100 to 150.

Each phishing e-mail is checked, all links are tested against the Netcraft toolbar, and any new ones, that the Netcraft toolbar doesn’t yet know about are submitted for inclusion in their database. Nothing too unusual there. However, once in a while I spot something that makes a new phish stand out from the crowd. One of these events happened last week, and this post will explain why I considered it not one of the run-of-the-mill phishing scams.

For starters here’s a screenshot of the e-mail I received:

A larger version can be found here.

Nothing too unusual here, this looks like a typical PayPal phishing e-mail, complete with the fake URL. The one you go to is not the one shown in the e-mail!

Next, here’s a screenshot of the phishing website you saw [yes, past tense as it has now been closed down] when the link in the e-mail was clicked on:

A larger version can be found here.

You can also clearly see at the time I took this screenshot that it was not detected by the Netcraft toolbar, or even the Firefox anti-phishing functions which are now built into the browser.

As with the original phishing e-mail, nothing too surprising here, a typical PayPal phishing site.

So, I logged in [using false credentials, of course] and filled out the required forms with my name, address, social security number, date of birth, credit card details [including CVV and PIN]. Everything was just like most other PayPal phishing sites, that is until the confirmation page…

This is what I saw:

A larger version can be found here.

Oh goody, I thought, they are offering me a free download of an ‘eBay Toolbar‘ called VGuard, and it is at version 10, yippee! Of course, I immediately downloaded it and installed it, as most users do, don’t they? [Don’t panic, I did download it, but I didn’t install it].

What I did do, once I had downloaded it was to analyse it, here’s the file information:

FileName: Guardv10.exe.1
FileDateTime: 16/11/2006 17:44:35
Filesize: 149254
MD5: 2fadb5a4f3c80e78197d733255136ba7
CRC32: 7B3A6C60
File Type: PE Executable
Packer: Standard PE File

Interestingly, it wasn’t even packed using the usual malware authors’ tools, such as UPX, ACE, and so on.
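The file information above (size, MD5, CRC32, file type, packer) is the sort of summary a first-pass static triage produces. As an added example, not the tool the post used, here is a small Python helper that computes the same fields from a byte string and adds a crude packer hint by reading the PE section names (UPX names its sections UPX0/UPX1). The PE image it builds is constructed and minimal (a DOS stub, a PE signature, a COFF header and one section) so the example runs offline; it is not a real executable.

```python
import hashlib
import struct
import zlib


def build_sample_pe(section_name=b".text") -> bytes:
    """Constructed minimal PE image for the demo (not a runnable program)."""
    e_lfanew = 0x40
    # DOS header: "MZ" magic, padding, then e_lfanew at offset 0x3C
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0, 0x0102)
    # One IMAGE_SECTION_HEADER: 8-byte name followed by 32 bytes of fields
    section = section_name.ljust(8, b"\x00") + b"\x00" * 32
    return dos + b"PE\x00\x00" + coff + section


def file_info(data: bytes) -> dict:
    """Summarise a file the way the post's listing does: size, MD5, CRC32,
    file type, section names and a section-name based packer hint."""
    info = {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "crc32": "%08X" % (zlib.crc32(data) & 0xFFFFFFFF),
        "type": "unknown",
        "sections": [],
        "packer": "none detected",
    }
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        info["type"] = "MZ executable (no PE header)"
        return info
    info["type"] = "PE Executable"
    coff_off = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff_off + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff_off + 16)[0]
    sec_off = coff_off + 20 + opt_size
    for i in range(num_sections):
        raw = data[sec_off + i * 40: sec_off + i * 40 + 8]
        info["sections"].append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    # Heuristic only: a well-known packer leaves recognisable section names.
    if any(name.startswith("UPX") for name in info["sections"]):
        info["packer"] = "UPX"
    return info


if __name__ == "__main__":
    for name in (b".text", b"UPX0"):
        print(file_info(build_sample_pe(name)))
```

A missing packer hint, as in the post, only means the sample was not obviously packed; the real check is what the file does when it runs, which is where the sandbox comes in.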

I had a quick peek at the internals of the file and saw it would create some files and execute them, not just any files, a DOS batch [.BAT] file, very suspicious! So I sent it off to be run in a sandbox, and here are the results:

Guardv10.exe : Not detected by Sandbox (Signature: NO_VIRUS)

[ General information ]
* File length: 149254 bytes.
* MD5 hash: 2fadb5a4f3c80e78197d733255136ba7.

[ Changes to filesystem ]
* Creates file C:\TEMP\bt8323.bat.
* Deletes file C:\TEMP\bt8323.bat.

[ Process/window information ]
* Creates an event called .

The results from the sandbox did indeed show that it created a batch file. So, which anti-malware tools detect it? To find out I scanned it using over 30 ‘up-to-the-minute‘ updated anti-malware tools, here are the results:

============================================================

Scan report of: Guardv10.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir -
Avast! -
AVG -
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet -
Fortinet (BETA) -
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal -
Rising -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA Trojan.BAT.Small.BC0B
VBA32 -
VirusBuster -
WebWasher -
YY_Spybot Jupilites,,Installer

============================================================

As you can clearly see, hardly any of them detected anything at all, even the mighty Kaspersky failed to find anything in the file. So, what did I do, the same thing I always do when I find a new malware, I sent it off to all the anti-malware companies to add detection for it to their products.
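The sandbox summary and the multi-scanner report above are both plain text, and the two conclusions drawn from them (a batch file dropped in TEMP and then deleted; only a handful of scanners with any verdict) can be extracted automatically. As an added example, not part of the post or of the sandbox service, here is a Python triage helper that parses both formats. The report text below is constructed in the shape shown above (the scan report is assumed to separate scanner name and verdict with a tab, since the original is a two-column table); the file name and MD5 are the ones listed in the post.

```python
import re

# Constructed sandbox summary, in the format shown in the post.
SANDBOX_REPORT = r"""Guardv10.exe : Not detected by Sandbox (Signature: NO_VIRUS)

[ General information ]
* File length: 149254 bytes.
* MD5 hash: 2fadb5a4f3c80e78197d733255136ba7.

[ Changes to filesystem ]
* Creates file C:\TEMP\bt8323.bat.
* Deletes file C:\TEMP\bt8323.bat.

[ Process/window information ]
* Creates an event called .
"""

# Constructed subset of the multi-scanner report; name and verdict are tab-separated.
SCAN_REPORT = "\n".join([
    "Scan report of: Guardv10.exe",
    "",
    "AntiVir\t-",
    "Avast!\t-",
    "Dr Web\t-",
    "Kaspersky\t-",
    "Panda\tSuspicious file",
    "Trend Micro (BETA)\t-",
    "UNA\tTrojan.BAT.Small.BC0B",
    "YY_Spybot\tJupilites,,Installer",
])

# Extensions whose appearance in a temp directory is worth a second look.
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".js", ".exe", ".scr")


def parse_sandbox(text):
    """Split the sandbox summary into {section title: [bullet entries]}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\[\s*(.+?)\s*\]", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line.startswith("* ") and current is not None:
            sections[current].append(line[2:].rstrip("."))
    return sections


def filesystem_findings(sections):
    """Flag dropped script/executable files in TEMP and create-then-delete pairs."""
    created, deleted = set(), set()
    for entry in sections.get("Changes to filesystem", []):
        m = re.match(r"(Creates|Deletes) file (.+)", entry)
        if m:
            (created if m.group(1) == "Creates" else deleted).add(m.group(2))
    findings = []
    for path in sorted(created):
        low = path.lower()
        if low.endswith(SCRIPT_EXTENSIONS) and "\\temp\\" in low:
            findings.append(f"drops executable content in TEMP: {path}")
        if path in deleted:
            findings.append(f"creates then deletes (run-and-wipe pattern): {path}")
    return findings


def parse_scan_report(text):
    """Return [(scanner, verdict or None)]; a bare '-' means no detection."""
    results = []
    for line in text.splitlines():
        if "\t" not in line:
            continue
        scanner, verdict = line.split("\t", 1)
        verdict = verdict.strip()
        results.append((scanner.strip(), None if verdict == "-" else verdict))
    return results


def detection_summary(results):
    detected = [(s, v) for s, v in results if v]
    return {"total": len(results), "detected": len(detected), "names": dict(detected)}


def triage(sandbox_text, scan_text):
    """Combine behavioural findings and scanner coverage into one verdict."""
    findings = filesystem_findings(parse_sandbox(sandbox_text))
    summary = detection_summary(parse_scan_report(scan_text))
    verdict = "suspicious" if findings or summary["detected"] else "no indicators"
    return {"verdict": verdict, "findings": findings, "scanners": summary}


if __name__ == "__main__":
    print(triage(SANDBOX_REPORT, SCAN_REPORT))
```

The point of combining the two sources is the one the post makes: a low scanner hit count on its own says little about a fresh sample, whereas a dropped-and-wiped batch file is a behavioural signal that does not depend on anyone having a signature yet.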

Sorry, you want to know what it [the malware] does? OK.

The sting in the tail mentioned in the title of this posting, is not that the phishers have used a bit of extra social engineering to get a ‘phished‘ target to not only give away their personal and financial data, but they have also got them to download and run, what the end user thinks is a ‘useful‘ toolbar…when in fact what it does is:

Attempts to remove the first four boot configurations from the ‘boot.ini‘ file and then delete the ‘hal.dll‘ file in the Windows ‘System‘ directory. It then copies itself to the Windows ‘Startup‘ folder and proceeds to shutdown [reboot] the computer.

If it is successful this will make the infected computer unbootable and it may also show a rude message in Romanian on the screen.

Now, is that a sting in the tail or not?

Not only have the phishers made off with the users data, but they are also trying to cover their tracks by making the system unusable……any half decent ‘geek‘ could of course resolve the matter fairly easily, but most users would be completely stumped as to how to proceed at this point. I suppose they would take it to their local PC expert or repair center?



Wednesday 15th November, 2006


Google Reader - Shared Items

Filed under: All, Tools

In my never-ending search for the perfect RSS/Atom reader and/or aggregator, I have been testing the web based one offered by ‘Google‘ known as ‘Google Reader‘, and to be honest I’m very impressed.

Apart from being browser based, it is similar to many of the other RSS readers out there, but there are some unusual, but useful things that ‘Google Reader‘ does that I don’t think any of the others offer.

One of the great features is the ability to ‘share‘ items that you have received, and think may be of interest to like-minded individuals. So, I have started sharing interesting posts from blogs that I subscribe to here: http://www.google.com/reader/shared/01333213474642457866

You can even get it as a RSS/Atom feed via this link: http://www.google.com/reader/public/atom/user/01333213474642457866/state/com.google/broadcast.

‘Google Reader‘ works well in Internet Explorer, but also works in Firefox too.

If you are also using ‘Google Reader‘, and have a share, then let me know and I’ll take a look. Also, let me know what you think of ‘Google Reader‘, if you use it.

Just for interest, here are just some of the other RSS/Atom readers and/or aggregators I’ve used so far [in no particular order]:

  • Awasu
  • Firefox, Live bookmarks, Sage and various other plug-ins/add-ons
  • RSS Bandit
  • Greatnews
  • KlipFolio
  • Newzie
  • Omea reader
  • Opera
  • SharpReader




Monday 6th November, 2006


Quick Anti-Phishing Roundup

Filed under: All, Scams, Tools, Stats

A number of people have asked me for my opinion on the built-in anti-phishing features of both Internet Explorer 7 [IE7] and Firefox 2.0.

They are particularly interested in how good, or bad, they are when compared against one of the most mature and accurate anti-phishing toolbars, this being the one from Netcraft.

So, I managed to spend a bit of time testing both browsers in-built anti-phishing capabilities, the results although not that surprising, were somewhat worrying when you take into account the amount of phishing that is now taking place.

The screenshots below are the results of just one test, but are indicative of the general accuracy of the built-in anti-phishing tools when used instead of the Netcraft toolbar. This is by no means a scientific test. However, I do use the built-in Firefox 2.0 anti-phishing [via Google] feature and the Netcraft toolbar, which co-exist well.

I received a new, for me, phishing scam e-mail which I used as a test for all the anti-phishing features and the Netcraft toolbar, and you can see the results for each of the browsers and tools below:

All the screenshots used in this blog entry have had the URL for the phishing site ‘munged‘, just in case anyone is mad enough to try and visit them ;-)

First up is Internet Explorer 7, the latest version of the much-maligned web browser from our old friends at Microsoft. However, you can only install and use IE7 on Windows XP, and even then only if you have Service Pack 2 [SP2] installed.



A larger version of the above screenshot can be found here.

As you can see, with this particular Barclays Bank phish, IE7 doesn’t flag it or warn us in any way that this is a bogus site, and not the real Barclays bank site, not good!

Next up is Firefox 2.0, the latest version of the much-admired, and recommended, web browser from our friends at Mozilla.org. Unlike IE7, you can install and use Firefox 2.0 on most versions of Windows and even [gasp] Linux and other *NIX flavours too!



A larger version of the above screenshot can be found here.

As you can see, with this particular Barclays Bank phish, Firefox 2.0 does flag and warns us in a very obvious, in your face, kind of way that this is a bogus site, and not the real Barclays bank site, very good!

Staying with Firefox 2.0, let us now disable the in-built anti-phishing facility, and install the latest Netcraft anti-phishing toolbar instead. This works with both Internet Explorer [IE], including version 7, and all Firefox versions up to and including 2.0. Not only that, but I have found that it will happily co-exist with the in-built anti-phishing feature in Firefox 2.0.



A larger version of the above screenshot can be found here.

As you can see, with this particular Barclays Bank phish, the Netcraft toolbar in Firefox 2.0 not only flags the site, warning us very obviously with a large dialogue box, it also doesn’t even allow the page time to render, which is good if there were any nasty scripts embedded in the HTML of the bogus site!

So, in conclusion, the in-built anti-phishing, in all the tests I’ve done so far with the many new phishing scams I get each and every day, in IE7 is really not very good, but in Firefox 2.0 [if using the Google option] is not bad. Neither of the in-built anti-phishing features are as good as using the Netcraft anti-phishing toolbar…why?

Well, partly because they get lots of reports from researchers and end-users from all over the net, including me, and we are talking about thousands of new phishing URLs being reported each and every month; furthermore, because their toolbar is not tied to a specific browser, this actually helps them to get more reports, even from those that insist on still using IE6 ;-)

For those fans of Opera out there in blogland, the news is that the next version of Opera will have some form of in-built anti-phishing feature.

As with most security solutions, you shouldn’t rely on a single layer to protect your computer from attack, be that malware, spam or scams.

You should be using multiple overlapping techniques and/or technologies to ensure that a single point of failure is not likely to result in your defences being breached. So, by all means use the in-built anti-phishing features in IE7 or Firefox 2.0, but augment them with the Netcraft anti-phishing tool and a good dose of safe hex too….belt and braces, that way you are less likely to be embarrassed by a failure which would otherwise expose your assets. You wouldn’t want those exposed or frozen, now would you? ;-)



Wednesday 18th October, 2006


Rootkits: Risk, Issues and Prevention - Paper Now Available!

Filed under: All, Malware, Papers, Tools, Stats

No I haven’t fallen off the edge of the world, been kidnapped by aliens, or been hibernating. I’ve been preparing for the Virus Bulletin 2006 conference which was held last week in Montreal, Canada. Before that I was in France for 4 days at a customer site, I have also been updating a presentation for a guest lecture that I will give tomorrow at the University of Warwick, so, I’ve been busy creating and giving presentations. Oh, and that’s on top of my ‘usual‘ workload.

I will post a review of the conference in a week or so, covering my own personal thoughts on the conference and the content. This will include my thoughts on some of the presentations I attended on both the technical and corporate streams.

So, now the conference is over, I can make the paper I presented available to anyone that wants a copy.

Here’s the abstract that I submitted, and was selected back in March:

Rootkits have been around almost since the start of computing, however over the last two years the threat has changed; no longer is it just a *NIX [Unix/Linux] problem, corporate and academic computers running Microsoft Windows are now an increasing target. We are now at a tipping point; rootkits are no longer a minor annoyance or threat, they are starting to become a major cause for concern.

Many corporate security staff have a rather vague understanding of rootkits, not just what they are, but how they work. Furthermore many have little understanding of the risks to their company or their own home computer.

This paper will explain what rootkits are and how they work. It will also discuss ways to combat them using methods that range from simple security methodologies through to technical solutions.

The full paper [in Adobe Acrobat format (PDF)] can be found here: http://arachnid.homeip.net/papers*

All feedback, comments, flames, suggestions, etc. are most welcome.

Normal service will be resumed as soon as I’ve caught up with the backlog of work I have piling up around me. So, if you see a news article saying: “A computer geek was found today buried under piles of work… he was finally extracted, alive, by teams of rescuers digging him out 48 hours after they were alerted to the disaster…” then you know it was probably me. ;-)

[*] All my other conference papers and magazine articles I’ve written can also be found there.



Wednesday 31st May, 2006


Microsoft Malware and Anti-Malware

Filed under: All, Malware, Exploits, Tools

It’s a Microsoft themed posting today, I hope Bill is pleased ;-)

First we have a new Microsoft patch being sent via e-mail for a new vulnerability, or so you are led to believe. Details below:

Here is a screenshot of the e-mail:




Screenshot courtesy of SOPHOS.


If you are naive enough to believe that Microsoft send patches out via e-mail, then you are the sort of person that would also have infected your computer with Swen when it used the same trick to great effect.

The web link [URL] shown in the e-mail is not where you will go if you are gullible enough to click on the link and download the ‘alleged’ patch.

This uses the same phishing-like trick that I mentioned the other day.

It seems that once more the Bad Guys and Gals are trading tricks to help them get you to infect your computer or disclose personal data. Once you have clicked on the link and executed [run] the downloaded file, which is a Trojan horse, the install will display the following bogus message:

“Microsoft WinLogon Service successfully patched.”

In reality the Trojan is now secretly logging all your keystrokes and sending them to an email address belonging to the Bad Guys and Gals that created it.

The good news is that the website being used to host the Trojan has been taken down, so if you haven’t yet infected yourself you’ve missed your chance with this one ;-)

Oh, and just in case you didn’t know, there is no such vulnerability and even if there were Microsoft don’t send patches to customers via e-mail like this, got it?

Oh yes I nearly forgot, here is a link to the description of the Trojan itself, known as BeastPWS-C.

Microsoft OneCare Launched Today:

The much vaunted [by Microsoft] ‘OneCare‘ service launches today. ‘OneCare’ is the new anti-malware offering from Microsoft which includes anti-virus and anti-spyware services for home users.

Not surprisingly existing anti-virus and security vendors are jumping on the bandwagon. Just to steal a bit of Microsoft’s thunder on launch day of ‘OneCare’, McAfee is launching their own similar service, named ‘Falcon‘.

Symantec are also planning a similar service which they were going to name ‘Genesis’, however their service is delayed and has also been renamed to ‘Norton 360′.



Thursday 11th May, 2006


EICAR 2006 Review

Filed under: All, Malware, Papers, Exploits, Scams, Tools

As previously mentioned on this blog I had a paper selected for the EICAR 2006 conference which was held at the Hotel Hafen in Hamburg, Germany between the 30th of April and the 3rd of May.

The hotel was quite interesting, made up of the ‘Classic’ part [left side of the picture with the hotel name on it]; which was the sailor’s mission [home] from 1864 until 1979, and the new ‘Residenz’ modern section [on the right side, includes the modern tower and you can just see part of the Ellipses]. The conference was held in the modern part of the hotel for the first two days, and then moved to the ‘Classic’, old part of the hotel for the final day.

This posting is a quick review of the conference and as promised a link to the full paper which I wrote for, and presented at, the conference:

Day 1 - Sunday 30th April:

The start of the day was used by many of the Working Groups and Task Forces that EICAR has. The conference ‘proper’ was kicked off by Sarah Gordon who gave her keynote speech. Sarah covered some interesting areas such as sociology, ethics and her being seen as a heretic when she originally published some of her research and ideas some years ago. These have now [for the main part] become considered as part of the mainstream. At the end of her keynote, Sarah challenged those in the room to dare to be the next heretic!

This was followed by a panel session about ‘groups’ in both the anti-malware and malware scenes.

After a break, I decided to stay in one of the two streams, this one being held in Ellipse I. The session room was smaller, but the number of people attending them meant that a number had to stand as there was not enough seating. The ones that I found most interesting were:

  • Mystery Meat: Where does spam come from, and why does it matter? - Presented by Christopher Lueg.
  • Spam Zombies from Outer Space. - Presented by John Aycock and Nathan Friess

Both of these caused a flurry of questions and the lively debate raged on after the sessions.

The end of day 1 was rounded off by the ‘Meet the Experts’ session which was a chance for many of us to chat more and discuss what we had seen or heard so far, catch up with old friends, make new friends and contacts and generally chew-the-cud in a geeky/nerdy sort of way.

Day 2 - Monday 1st May:

The first sessions of the day that I attended were held in Ellipse II and were all on Spyware; from very different perspectives. I was the second slot of the four to be given during the first half of the morning.

  • Spyware: A risk model for business - Presented by Vanja Svajcer
  • Spyware: Risks, Issues and Prevention - Presented by Martin Overton
  • The Trials and Tribulations of Testing Spyware Solutions: Towards a Testing Methodology - Presented by Larry Bridwell
  • A Testing Methodology for Anti-Spyware Product’s Removal Effectiveness - Presented by Josh Harriman

The next set of presentations which I found interesting were these:

  • Behavioral Classification - Tony Lee
  • TTAnalyze: A Tool for Analyzing Malware - Presented by Ulrich Bayer, Engin Kirda, Christopher Kruegel
  • Enlisting the End-User - Education as a Defense Strategy - Presented by Jeannette Jarvis
  • Pharming: a real threat? - Presented by David Sancho
  • Evolution from a Honeypot to a distributed honey net - Presented by Oliver Auerbach

The end of day 2 was rounded off by the Gala Dinner; good food and wine were supplied. The after dinner entertainment was supplied by a somewhat manic magician who spoke very fast and almost only in German which left about half to two-thirds of those assembled trying to work out the jokes, punchlines and the general patter that went along with the rather good magic.

Day 3 - Tuesday 2nd May:

On the last day of the main conference we moved from a two stream format to a single stream held in a conference room in the ‘Classic’ part of the hotel. This layout was significantly better than the first two days where it was somewhat cramped and there were no tables, only rows of chairs.

The day started off with another keynote, this time it was given by Professor Klaus Brunnstein. Although it was a very interesting talk he over ran by almost half an hour which put the rest of the day’s schedule off. Here are the presentations that I found most interesting during the morning sessions:

  • Inherent Technical Risks will lead Information and Knowledge Societies into a risk Society - Presented by Prof. Klaus Brunnstein
  • Future Trends in the realm of malware - Presented by Guillaume Lovett
  • Windows Rootkits - Presented by Mika Stahlberg

The rootkit one I found particularly interesting as I’m currently writing a paper for the Virus Bulletin conference on this very subject. Thanks go to Mika for helping me by writing and presenting his paper [and sending me his slides too] as this will help me no end in writing mine [with due credit of course].

The afternoon also proved to be eventful as several of the sessions planned had to be removed due to speakers not turning up to present. This meant that the schedule went from being half an hour late to almost an hour early. So, the panel session was moved forward to take up the slack. As usual with panel sessions this proved to be quite animated, especially when David Perry of TREND is part of the panel ;-) .

I didn’t stay for the last day [3rd of May] as it was a day just for Task Force meetings.

All in all, this was a very good EICAR conference, in fact it was the best attended ever with almost 100 attendees! I’m already looking forward to next year’s.

Just in case you didn’t spot the link to my paper, here it is again: Spyware: Risks, Issues and Prevention ;-)



Tuesday 28th February, 2006


Bayes strikes again…

Filed under: All, Malware, Papers, Tools

Woohoo, my paper on using Bayesian Filtering to classify malware has been mentioned on no other than the ‘Looswire’ blog run by Jeremy Wagstaff. Jeremy, apart from having a very interesting blog is also a regular columnist for WSJ.

The paper was written for and presented at the Virus Bulletin 2004 international conference in Chicago, USA.

POPFile Screenshot

The tool he is discussing is POPfile, a FREE anti-spam tool for all platforms that support PERL [for Windows you don’t have to install PERL as it is all part of the Windows install package supplied].

It is very easy to set up and it learns very quickly. Why not give it a try?

The blog entry can be found here: How to Make More Use of the Vicar

The Vicar in question is Thomas Bayes, an 18th Century nonconformist minister who came up with a simple but very effective way to classify things using a simple theorem. If you want to know more then take a look at the paper.
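The theorem in question says that the probability of a class given the words seen is proportional to the prior probability of the class times the probability of each word given that class; with a few training messages that is enough to separate spam from legitimate mail. As an added example, not POPFile’s code and not the paper’s, here is a small naive Bayes text classifier in Python with Laplace smoothing, trained on a constructed set of six messages. It returns both the winning class and its posterior probability so that a practitioner can see how confident the decision is.

```python
import math
import re
from collections import Counter

# Constructed training messages (labels are "spam" and "ham").
TRAINING = [
    ("spam", "free offer click here to claim your prize now"),
    ("spam", "urgent your account has been suspended verify now"),
    ("spam", "cheap meds free shipping click here"),
    ("ham", "the conference paper review is attached see you tomorrow"),
    ("ham", "can we move the meeting to thursday afternoon"),
    ("ham", "attached are the slides from my rootkit lecture"),
]


def tokenize(text):
    """Lower-case word tokens; punctuation is ignored."""
    return re.findall(r"[a-z0-9']+", text.lower())


class NaiveBayes:
    def __init__(self, alpha=1.0):
        self.alpha = alpha            # Laplace smoothing so unseen words do not zero a class
        self.class_counts = Counter()  # number of training messages per class
        self.word_counts = {}          # class -> Counter of word frequencies
        self.vocab = set()

    def train(self, samples):
        for label, text in samples:
            self.class_counts[label] += 1
            counts = self.word_counts.setdefault(label, Counter())
            for token in tokenize(text):
                counts[token] += 1
                self.vocab.add(token)

    def log_score(self, label, tokens):
        """log P(class) + sum of log P(word | class), with smoothing."""
        total_docs = sum(self.class_counts.values())
        score = math.log(self.class_counts[label] / total_docs)
        counts = self.word_counts[label]
        denominator = sum(counts.values()) + self.alpha * len(self.vocab)
        for token in tokens:
            score += math.log((counts[token] + self.alpha) / denominator)
        return score

    def classify(self, text):
        """Return (best class, posterior probability of that class)."""
        tokens = tokenize(text)
        scores = {label: self.log_score(label, tokens) for label in self.class_counts}
        best = max(scores, key=scores.get)
        # Normalise in log space to avoid underflow on long messages
        top = max(scores.values())
        total = sum(math.exp(s - top) for s in scores.values())
        return best, math.exp(scores[best] - top) / total


def build_classifier():
    classifier = NaiveBayes()
    classifier.train(TRAINING)
    return classifier


if __name__ == "__main__":
    model = build_classifier()
    for message in ("click here for your free prize", "see you at the meeting tomorrow"):
        print(message, "->", model.classify(message))
```

The same machinery classifies anything that can be turned into tokens, which is why the malware paper mentioned above could apply it beyond spam; the only thing that changes is the tokenizer and the training set.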



Thursday 23rd February, 2006


Patch Me Up!

Filed under: All, Malware, Exploits, Tools

According to a new survey ‘Two-thirds of U.K. businesses fail to patch‘ their Windows desktops and servers. An older survey found ‘Patch Management An Ongoing Challenge For Many Companies‘ with ‘only about one in five completely ready for the next virus attack‘. Why is this a problem?

Well read on, and all will hopefully be made clear:

Over the last few years we have seen the window between a vulnerability being announced and malware exploiting it shrink from years to months, weeks and more often now just a few days[1]. So, this area needs to be addressed in the fight against malware and spyware as many use known vulnerabilities [which have patches available] to gain access to vulnerable systems.

Some of these vulnerabilities may be used when you visit a website which uses exploit code that your system is not yet patched against. These are commonly called ‘drive-by-downloads‘ or ‘drive-by-infections’. In most of these types of attacks, such as with the WMF vulnerability you may not even be aware that your computer has become infected. There is no warning, no download prompt, nothing to warn you or tip you off that something nasty and underhand has taken place during your visit to the site.


So, what can you do?
For home systems and those not already managed via third party or in-house patch management tools, you should at the very least ensure that all Windows systems are set to automatically check the Windows Update website at least once a week. If your systems run Windows 2000, 2003 or XP make sure you enable the Windows update service via Automatic Updates. This will ensure that updates are automatically downloaded and installed on those systems.

If you or your customers prefer to control when Windows updates are deployed across their networks then you could use the Microsoft Software Update Server [SUS].

Here is some data on SUS from the Microsoft site:

SUS is a version of Windows Update designed for organizations that want to approve each software update before installing them. SUS allows administrators to quickly and easily deploy Windows related security updates and critical updates to any computer running Windows 2000, Windows XP Professional, or Windows Server 2003 systems. SUS includes the following capabilities:

  • Software updates can be approved on each SUS server, enabling testing in a separate environment as well as phased deployments across an enterprise.
  • SUS clients, which are the same as the Automatic Update component described earlier, can be configured to download software updates from the SUS server (saving bandwidth on shared Internet connections), or directly from Windows Update.
  • Software updates can also be copied onto a CD-ROM from an SUS server connected to the Internet, and then transferred to SUS server in a protected network with no Internet access.

SUS servers require Windows 2000 Server or Windows Server 2003, IIS, and port 80 communications with SUS clients. SUS servers can be configured to synchronize software update packages and approvals either manually or automatically from a parent SUS server (or from Windows Update), enabling flexibility in how the environment is maintained.

There are lots of other third party patch management systems available, and some companies create their own instead of using off-the-shelf patch management tools.

Below are links to articles covering other solutions:

[1] A number of malware families have used so-called ‘zero-day’ exploits. In this case there is no patch from the vendor to actually fix the hole in the operating system or application, and other mitigation techniques are required to partially, or ideally completely, manage the situation until a patch becomes available. An example of this would be the WMF exploit that surfaced in December 2005, but was not patched by Microsoft until January 2006.

And now for something completely different, but related:
I have blogged about rootkits previously, but I came across a new one recently that I’d never heard of before.

The difference is that this one is not a piece of malicious software; it is actually a band named ‘Root Kit’ from Sydney, Australia. The fun thing is that they have just released a music video cheekily called ‘Patch Me Up’, hence the title of this entry, and it has lots of security buzzwords in it. Normally I’d just ignore such trivia, however the video is quite good and the song is catchy. There are a few comedy moments in there too.

Let me know what you think of it.

Oh, you want a link to it? No problem, here you go, via Google: http://video.google.com/videoplay?docid=9151435244001559688

If you prefer to download it, you can via this link: http://www.rootkitonline.com/NetNuke/Download/tabid/55/Default.aspx


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

Tuesday 24th January, 2006


Spyware For All

Filed under: All, Malware, Tools

I mentioned some months ago that I would blog about spyware; well, I finally got round to it. I hope it was worth the wait.

So, to start, let me actually define what spyware is in a single sentence:

“Spyware is the generic name for any application that may track your online and/or offline PC activity and is capable of locally saving or transmitting those findings to third parties, sometimes with, but more often without, your knowledge or consent”.

If you want the full definition of what makes something spyware, then feel free to look here: http://www.antispywarecoalition.org/documents/definitions.htm.

However, don’t expect it to be very concise! Just like virus and other malware nomenclature, if you ask several experts you’ll probably get multiple, and sometimes opposing, definitions; you have been warned.

Spyware comes in many forms including adware, keyloggers, Trojans, browser hijackers, and dialers.


Is Spyware a Problem?
Well, according to a number of surveys it is a BIG problem. The trouble is that many of those infected may not even be aware of the spyware. Furthermore, they may be blissfully unaware that their browsing habits, at the very least, or their financial data or every keypress they make, at the very worst, are actually being recorded and sent to the ‘Bad Guys [TM]’ to use, or should that be mis-use, as they see fit.

  • More than 33 percent of system crashes reported to Microsoft were found to be due to spyware.
  • Nine out of ten PCs connected to the Internet are infected with spyware.[2]
  • A recent spy audit report[1] published by Earthlink and Webroot found an average of 26.5 spyware traces are present on a given PC. In a six-month period, two million scans found 55 million pieces of spyware.
  • 92% of corporate IT managers at companies with more than 100 employees claim they have a “major” spyware problem.[3]

[1] http://www.webroot.com/company/pressmedia/pressreleases/20040804-spywarereport/
[2] National Cyber Security Alliance, June 2003
[3] Web@Work Study, March 2004

How do I get infected?
There are many ways to get infected with spyware; however, the most common are via websites that use scripting, known vulnerabilities or social engineering to get you to install their spyware, or via spyware installed as part of a free tool or utility that you installed.

There are many other ways; these include:

  • Getting in via exploits/vulnerabilities or Browser Helper Objects [BHOs].
  • Java, JavaScript, VBScript, Plugins (ActiveX), Cabs/Executables (Viewers).
  • Spyware bundled with other applications.
  • Other malware downloading and installing Spyware.
  • Self-updating, multi-component spyware/adware.
  • Spyware used to sell anti-spyware tools.
  • Spyware disguised as anti-spyware software.

What about Cookies?
No, I’m not talking about those yummy things with chocolate chips in them, amongst other things. However, if you are interested in malware trivia, then you may be interested in what some consider to be the first computer virus[4], known as ‘Cookie’, ‘Cookie Monster’ or ‘Cookie Bear’. However, this bears [no pun intended] no relation to the cookies I’m covering here.

[4] I’m not one of them. The first virus was Elk Cloner, and the first PC virus was Brain, which has just had its 20th birthday!

The cookies I’m covering here are a way for websites to store session or other data when you visit their site. These ‘cookies’ are not spyware. If you want to classify them as any sort of threat, then classify them as a minor ‘privacy’ issue; however, they can be used for tracking purposes.

So, what can I do to protect myself?
There are loads of tools that you can use to help fight spyware already on your PC, and others that can stop it getting on there in the first place. The first bit of advice I will offer is to use a browser that doesn’t use/support ActiveX, as this is one of the main ways for spyware to get onto your system. I would suggest that you use Opera or Mozilla/Firefox instead. Don’t get me wrong, this won’t stop all spyware getting onto your system via a web browser, but it should help to minimise the risk. Likewise, not visiting the internet’s ‘grey’ areas or its seedy under-belly will help. Also, be very careful with free programs, as some offset the cost of the program by bundling adware or spyware in with their software.

Anti-spyware tools:

Be very careful when selecting an anti-spyware solution/tool, as there are a number of them that are spyware in their own right. You can find a list of the known ‘bogus’ anti-spyware and anti-malware tools here: http://www.spywarewarrior.com/rogue_anti-spyware.htm

Here are some other things that you might want to do to help protect your computer:

  • Keep your operating system fully patched.
  • Be careful of what you download, and read the EULA before you allow the install to continue.
  • If you must use Internet Explorer then adjust your settings for ActiveX.

The good news is that many anti-virus products are starting to detect some of the most common spyware. Other vendors have acquired companies that specialise in spyware detection and elimination; this capability will then be incorporated into those vendors’ products.

The bad news is that spyware is now commonly used by professional cyber-criminals to steal data, be it corporate secrets or your credit card or bank details. Even worse is that the quality of the spyware is getting better; this means that these programs are being written by professional programmers rather than the more usual stereotypical malware author. Increasingly we are seeing new techniques that make the detection and removal of some spyware very, very difficult.


Other useful tools:

  • CWShredder: this can get rid of some of the most pernicious spyware known to man, namely ‘Coolwebsearch’.
  • HijackThis: I blogged about this tool some time ago; it is a very useful diagnostic tool.
  • HijackThis Log Analyser: this is a useful site for turning the output of HijackThis into something that means something to most end-users, not just techies or propeller-heads.
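As an added example (my own code, not from the original post or from the HijackThis project): a small Python checker that reads the R0/R1, O1, O2 and O16 line types from a HijackThis log and flags the symptoms discussed in this entry, namely a hijacked IE start/search page, hosts-file redirections, BHOs loaded from odd locations and ActiveX downloads. The allow-list, the expected start-page policy and the sample log are constructed assumptions.

```python
import re
# Line layouts follow HijackThis's well-known "Rn - ..." / "On - ..." log style; the
# rules, allow-lists and sample log here are constructed for this example, not the tool's.
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.+)$")
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]{36}\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")
IE_RE = re.compile(r"^HK\w+\\Software\\Microsoft\\Internet Explorer\\Main,(?P<setting>[^=]+?) = (?P<value>.*)$")
TRUSTED_DIRS = ("c:\\program files\\", "c:\\windows\\system32\\")         # example allow-list
EXPECTED_IE = {"Start Page": "about:blank", "Search Page": "about:blank"}  # example policy
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

def check_line(line):
    """Return a readable finding for a suspicious log line, or None if it looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "O2" and (b := BHO_RE.match(body)):
        # Browser Helper Objects run inside IE; an odd install path is a red flag.
        if not b.group("path").lower().startswith(TRUSTED_DIRS):
            return f"O2: BHO '{b.group('name')}' loads from unexpected path {b.group('path')}"
    elif kind == "O16" and (d := DPF_RE.match(body)):
        # Downloaded Program Files are ActiveX controls fetched from the web (.cab/.exe).
        return f"O16: ActiveX control '{d.group('name')}' downloaded from {d.group('url')}"
    elif kind == "O1" and (h := HOSTS_RE.match(body)):
        # A hosts entry pointing a site at a non-loopback address smells of hijacking.
        if h.group("ip") not in LOOPBACK:
            return f"O1: hosts file sends {h.group('host')} to {h.group('ip')}"
    elif kind in ("R0", "R1") and (r := IE_RE.match(body)):
        # A changed Start/Search page is the classic browser-hijacker symptom.
        setting, value = r.group("setting").strip(), r.group("value").strip()
        if setting in EXPECTED_IE and value != EXPECTED_IE[setting]:
            return f"{kind}: IE {setting} changed to {value}"
    return None

def analyse_log(text):
    # Run check_line over a whole HijackThis log and return the list of findings.
    return [f for f in map(check_line, text.splitlines()) if f]

# Constructed sample log: CLSIDs, paths and hosts are placeholders, not real indicators.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://search.example.test/
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = about:blank
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 192.0.2.10 www.bank.example
O2 - BHO: Reader Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Reader\\helper.dll
O2 - BHO: (no name) - {66666666-7777-8888-9999-000000000000} - C:\\WINDOWS\\Temp\\tb.dll
O16 - DPF: {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} (Free Viewer) - http://downloads.example.test/viewer.cab
"""
```

Calling `analyse_log(SAMPLE_LOG)` returns four findings (the changed start page, the bank redirection in hosts, the BHO in the Temp folder and the ActiveX .cab download) and stays silent on the benign lines.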

If you have other useful tips and/or techniques, please feel free to post them as feedback. I’m sure that there are many others that will help other readers in the endless fight against the growing scourge of spyware.

For those of you who would like to know more about spyware, you are in luck, as I’m writing a conference paper on this subject. Spyware is a big and complex arena, and as much as I try, there is no way a single blog entry could ever do it real justice. The paper will be made available after the conference. So, if you are interested, then check back around the 6th of May 2006 for a link to the paper.


